{#
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
 file, You can obtain one at https://mozilla.org/MPL/2.0/.
#}

{% extends "security/base.html" %}

{% block page_title %}Bug Bounty Program FAQ{% endblock %}
{% set body_id = "faq" %}

{% block article %}
  <header>
    <h1 class="mzp-c-article-title">Bug Bounty Program FAQ</h1>
  </header>

  <p>This FAQ attempts to answer various questions about the Mozilla
    security bug bounty program. For
    more information see the
    <a href="{{ url('security.bug-bounty') }}">official guidelines</a>
    governing the program.</p>

  <h3>General questions</h3>

  <ul class="mzp-u-list-styled">
    <li><a href="#why">Why is Mozilla doing this?</a></li>
    <li><a href="#eligibility">Are Mozilla developers eligible for the bug bounty
      reward?</a></li>
  </ul>

  <h3>Eligible software</h3>

  <ul class="mzp-u-list-styled">
    <li><a href="#other-products">What applications are in scope?</a></li>
    <li><a href="#bugzilla-etc">Does the bug bounty cover bugs found in
      Bugzilla, Rust, Rhino, and other software created and distributed
      as part of the Mozilla project?</a></li>
    <li><a href="#most-recent">What do you mean by the "most recent version"
      of Firefox, and/or Firefox for Android?</a></li>
    <li><a href="#older-releases">Can I get the bug bounty reward if I
      discover a bug in an older release of Firefox, and/or Firefox for Android?
      </a></li>
    <li><a href="#third-party-releases">Can I get the bug bounty reward
      if I discover a bug that occurs in a third-party release of Firefox and/or
      Firefox for Android (e.g., a localized build, optimized build, or a
      third-party Firefox or Firefox for Android distribution)?</a></li>
    <li><a href="#platform-specific">Can I get the bug bounty reward if I
      discover a bug that occurs only on a particular operating system?</a></li>
    <li><a href="#nondefault-pref">Can I get the bug bounty reward for a
      vulnerability that is only triggerable with non-default preferences?</a></li>
  </ul>

  <h3>Eligible bugs</h3>

  <ul class="mzp-u-list-styled">
    <li><a href="#eligible-bugs">What types of security bugs are eligible?</a></li>
    <li><a href="#dos-bugs">Why won't you provide a reward for denial of
      service bugs?</a></li>
    <li><a href="#spoof-bugs">What type of spoofing bugs qualify for a reward?</a></li>
  </ul>

  <h3>Bug reporting, etc.</h3>

  <ul class="mzp-u-list-styled">
    <li><a href="#already-published">I've already published information
      about the bug, and didn't go through the Mozilla bug process; can I
      still get a reward?</a></li>
    <li><a href="#someone-elses-bug">Can I receive a bounty for a vulnerability
      I didn't find?</a></li>
    <li><a href="#nondisclosure">If I report the bug directly to you, do
      I have to keep the bug confidential and not publish information about
      it in order to receive a reward?</a></li>
    <li><a href="#cooperation">I don't have the time or desire to work
      with you further in investigating and fixing the bug; can I still get a
      bug bounty reward?</a></li>
  </ul>

  <h2>General questions</h2>

  <dl class="mzp-u-list-styled">
    <dt id="why">Why is Mozilla doing this?</dt>
    <dd>
      <p>Because we want to encourage more people to find and report
        security bugs in our products, so that we can make our products even
        more secure than they already are. It's as simple as that. For a historical note,
        you can see the
        <a href="https://blog.mozilla.org/press/2004/08/mozilla-foundation-announces-security-bug-bounty-program/">original announcement</a> from 2004.</p>
    </dd>

    <dt id="eligibility">Are Mozilla developers eligible for the bug bounty reward?</dt>
    <dd class="answer">
      <p>If you don't work for Mozilla Foundation or its subsidiaries, and
        are not among the creators or reviewers of the code in which the bug
        was found - Yes. However, if you found this bug as part of your job (in
        other words, while being paid to work on Mozilla software) then we'd
        appreciate it if you would not apply for the bounty in order to preserve our
        limited funds for rewarding volunteer contributors.</p>
    </dd>
  </dl>

  <h2>Eligible software</h2>

  <dl class="mzp-u-list-styled">
    <dt id="other-products">What applications are in scope?</dt>
    <dd>
      <p>The primary applications we offer bounties for are the most recent
        version of Firefox or Firefox ESR; Firefox for Android, and Firefox
        for iOS. Bounties may be awarded for other non-Beta, non-End-of-Life
        products offered by Mozilla which are included in the
        <a href="https://www.mozilla.org/en-US/security/web-bug-bounty/">Web bug bounty program</a>;
        however, whether a bounty is awarded and the amount will be subject to
        the committee.</p>
    </dd>

    <dt id="bugzilla-etc">Does the bug bounty cover
      bugs found in Bugzilla, Rust, Rhino, and other software created
      and distributed as part of the Mozilla project?</dt>
    <dd>
      <p>No. We have decided to use our limited resources to focus on our
        end-user products, as opposed to the other software produced and used
        by the Mozilla project. However, we do offer a
        <a href="https://www.mozilla.org/en-US/security/web-bug-bounty/">Web
        Bug Bounty</a> for the Mozilla web sites and services we run for
        Firefox for our users.</p>
    </dd>

    <dt id="most-recent">What do you mean by the "most recent version" of
      Firefox, and/or Firefox for Android?</dt>
    <dd>
      <p>In general we mean the nightly release available for download on
        the <a href="https://ftp.mozilla.org/pub/firefox/nightly/">Mozilla
        ftp site</a> at the time the bug was reported. However we will also
        consider paying rewards for security bugs as discussed in the questions
        and answers below.</p>
    </dd>

    <dt id="older-releases">Can I get the bug
      bounty reward if I discover a bug in an older release of Firefox and/or
      Firefox for Android?</dt>
    <dd>
      <p>In general bugs found in earlier releases are eligible for a
        reward only if we can reproduce the problem using the most recent
        version.</p>

      <p>However as an exception we will typically also pay a reward for
        bugs found in the latest versions of our other channels (Release,
        Beta, and Extended Support Release channels) if the bugs are not
        present in their most recent version but were never recognized
        and fixed as security bugs. (For example, the bug might be in
        code associated with a feature that was removed and/or heavily
        modified in the most recent version, and might have been "fixed"
        solely as a byproduct of other unrelated changes.)</p>
    </dd>

    <dt id="third-party-releases">Can I get the bug
      bounty reward if I discover a bug that occurs in a third-party release
      of Firefox and/or Firefox for Android (e.g., a localized
      build, optimized build, or third-party Firefox or Firefox for Android)?</dt>
    <dd>
      <p>Yes, if the bug can be reproduced in an official Mozilla
        Foundation release and otherwise meets the published guidelines.</p>
    </dd>

    <dt id="platform-specific">Can I get the bug
      bounty reward if I discover a bug that occurs only on a particular
      operating system?</dt>
    <dd>
      <p>Yes, if the operating system is officially supported by the most
        recent version of the product for which you're reporting the bug. (For
        a list of supported operating systems and hardware configurations see
        the system requirements for <a href="{{ url('firefox.sysreq') }}">Firefox</a> or
        <a href="{{ firefox_url('android', 'sysreq') }}">Firefox for Android</a>.)</p>
    </dd>

    <dt id="nondefault-pref">Can I get the bug bounty reward for a vulnerability
      that is only triggerable with non-default preferences?</dt>
    <dd>
      <p>If the preference is exposed via our Preferences Page, we consider
        that to be a supported configuration for Firefox. If the preference
        is enabled by default in a current Firefox channel (e.g. Nightly or
        Beta) it is also considered supported. If the preference must be
        configured via about:config or requires other non-standard Operating
        System configuration, that is typically not considered a supported
        configuration. While we may rate these issues as sec-high for our own
        purposes, they represent an exception to the standard bounty amounts
        for these ratings, and typically will not receive a bounty or, at most,
        a reduced bounty.</p>
    </dd>
  </dl>

  <h2>Eligible bugs</h2>

  <dl class="mzp-u-list-styled">
    <dt id="eligible-bugs">What types of security bugs are eligible?</dt>
    <dd>
      <p>Reproducible security bugs that are determined to be rated
        <a href="https://wiki.mozilla.org/Security_Severity_Ratings/Client">
        sec-high</a> or above are eligible. In general we consider high
        severity security bugs to be those that allow execution of arbitrary
        code on users' systems or allow access to users' confidential
        information. In the latter case we consider bugs to be sec-high only
        if they potentially expose high-value personal information (e.g.,
        passwords, credit card numbers, and the like); in the context of the
        bug bounty program we do not consider bugs to be sec-high if they
        potentially expose only lower-value information (e.g., browsing history)
        or information that would be useful primarily for other exploits
        (e.g., the names of files or directories on the user's system).</p>

      <p>Finally, in general we do not consider bugs that permit only denial of
        service attacks to be eligible in the sense described above.</p>
    </dd>

    <dt id="dos-bugs">Why won't you provide a reward for denial of service (DoS) bugs?</dt>
    <dd>
      <p>Because DoS bugs are generally less serious than other security
        bugs (e.g., they typically do not lead to corruption or destruction of
        user data, much less theft of data), and in many cases a DoS attack
        does not involve an actual bug but simply misuse of standard product
        features (e.g., putting up a web site with an excessive number of
        graphics, sending excessively long mail messages, etc.). We have
        decided to concentrate our limited resources on rewarding people who
        find what we consider to be more serious security problems.</p>
    </dd>

    <dt id="spoof-bugs">What type of spoofing bugs qualify for a reward?</dt>
    <dd>
      <p>Spoofing bugs that are rated
        <a href="https://wiki.mozilla.org/Security_Severity_Ratings/Client">sec-high</a>
        are eligible for a bounty. The severity rating page is authoritative, but to
        reiterate, these bugs require a fairly high level of attacker control: specifically,
        attacker-controlled HTML with an attacker-controlled URL in the actual browser
        address bar, retaining normal badging and iconography. When a bug is limited in
        one aspect of this, we encourage you to explore ways to bypass that
        limitation; your proof of concept should include a fully functional,
        compelling example of a high-quality spoof.</p>
      <p>Most URL, fullscreen, address bar, or browser chrome spoofing bugs will be rated
        as sec-low, and we do not plan to pay a bounty on them, even when we use our
        discretion to elevate certain bugs to sec-moderate. Many of the bugs in these
        categories represent edge cases, partial obscuring of information, or unusual user
        interaction.</p>
    </dd>
  </dl>

  <h2>Bug reporting, etc.</h2>

  <dl class="mzp-u-list-styled">
    <dt id="already-published">I've already published information about the bug,
      and didn't go through the Mozilla bug process; can I still get a reward?</dt>
    <dd>
      <p>Depending on the manner in which it was published, and the details that
        were disclosed, it may be possible; however typically we do not pay
        bounties in situations where developers need to drop existing work to
        respond to an urgent fix needed due to a public disclosure.</p>

      <p>We encourage people to <a
        href="https://bugzilla.mozilla.org/form.client.bounty">
        report bugs directly</a> to the Mozilla project, in order to ensure that the
        bug is made known as soon as possible to the people who can fix it.</p>
    </dd>

    <dt id="someone-elses-bug">Can I receive a bounty for a vulnerability I didn't
      find?</dt>
    <dd>
      <p>Sometimes, yes. For example, if you find a Firefox exploit in the wild
        that uses a previously unknown vulnerability and report it, you can be
        eligible for a bounty for that vulnerability even though you didn't
        discover the vulnerability itself.</p>
    </dd>

    <dt id="nondisclosure">If I report the bug
      directly to you, do I have to keep the bug confidential and not publish
      information about it in order to receive a reward?</dt>
    <dd>
      <p>No. We're rewarding you for finding a bug, not trying to buy
        your silence. However if you report the bug through the standard
        Mozilla process and haven't already published information about it then
        we do ask that you follow the guidelines set forth in the official
        policy on <a href="{{ url('mozorg.about.governance.policies.security.bugs') }}">handling
        Mozilla security bugs</a>. Under this policy security-sensitive bug
        reports in our Bugzilla system may be kept private for a limited period
        of time to give us a chance to fix the bug before the bug is made
        public, with an option for the bug reporter (or others) to open the bug
        to public view earlier whenever circumstances warrant it (e.g., if your
        bug report is being completely ignored).</p>
    </dd>

    <dt id="cooperation">I don't have the time or
      desire to work with you further in investigating and fixing the bug;
      can I still get a bug bounty reward?</dt>
    <dd>
      <p>Yes. Again, we're rewarding you for finding a vulnerability, not
        trying to buy your cooperation. However we invite you to work together
        with us to resolve the issue; and doing so can increase the reward that
        is ultimately paid. You'll also get the opportunity to work as a full
        member of the team fixing your bug and see "from the inside" exactly
        how Mozilla security bugs get resolved.</p>
    </dd>
  </dl>
{% endblock %}
